Brian Waters | 13d9601 | 2017-12-08 16:53:31 -0600

--------
FOREWORD
--------

The patch in this folder allows Wireshark to process packets that contain TLS-protected
Diameter messages over SCTP multi-stream associations. Each SCTP stream pair is handled
as a separate TLS channel (RFC3436), which is consistent with the freeDiameter 1.0.x mechanism.

It should be noted however that rfc3588bis (revised Diameter) recommends that DTLS is used
instead of TLS over SCTP, for the reasons highlighted in the introduction of RFC6083.
When this new mechanism is implemented in freeDiameter, a different patch will probably
be required for wireshark.


The instructions in this file will change your wireshark binary in a way suitable for
analysis of Diameter over TLS over SCTP, but may have unexpected side-effects
on the analysis of some other protocols (including DTLS).

The instructions refer to Debian-style packaging (apt); you should adapt
the process to build a new modified package of wireshark for your distribution.

The provided patch has been successfully tested with:
- wireshark-1.2.7 (Ubuntu Lucid)
- wireshark-1.2.11 (Ubuntu Maverick)
It may or may not work on more recent or older versions.


------------
INSTRUCTIONS
------------

The steps are:
- get your wireshark source
    apt-get source wireshark
    cd wireshark-1.2.*

- apply the patch
    cat ~/wireshark-1.2.7-diameter-tls.patch | patch -p1

- increase the version number
    dch -lfD "Added support for Diameter over TLS over SCTP"

- Create a new package (this might take a while)
    fakeroot debian/rules binary

- Install the modified version
    sudo dpkg --install ../wireshark-common_*fD*.deb ../wireshark_*fD*.deb

- Start the new wireshark:
    wireshark &

To analyze a capture file, you will need the private keys of both peers involved.

Let's imagine for example:
    peer A with IP address 192.168.0.10 has private key privA.pem
    peer B with IP address 192.168.0.11 has private key privB.pem

In wireshark you must do the following:
- go to menu Edit->Preferences
- In the left panel, under Protocols, scroll to "SSL" and select it.
- In the right panel, fill "RSA keys list" as follows:
    192.168.0.10,3869,diameter,/absolute/path/to/privA.pem;192.168.0.11,3869,diameter,/absolute/path/to/privB.pem
- You may also find it useful to select an SSL debug file to get a hint of any problem.
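The "RSA keys list" value is easy to get wrong: a relative key path, a missing entry for one peer, or a passphrase-protected PEM file each make the dissector silently skip decryption. The POSIX shell helper below is an added example, not part of the freeDiameter contrib files or of Wireshark; it builds the preference value from peer/key pairs and checks each key file before you paste the result into Edit->Preferences. The port (3869) and protocol name ("diameter") are the ones used above; the function names and the sample key paths are the example's own.

```shell
#!/bin/sh
# Added example (not from the freeDiameter contrib README): assemble the
# Wireshark SSL "RSA keys list" preference for Diameter-over-TLS peers and
# sanity-check the key files it points at.
#
# Preference entry format: ip,port,protocol,path   (entries joined by ';')

DIAMETER_PORT=3869        # Diameter port used in the README's example
DIAMETER_PROTO=diameter   # dissector name the README passes to the SSL preference

# rsa_keys_entry IP KEYPATH
# Prints one "ip,port,protocol,path" entry. Refuses a relative path:
# Wireshark resolves it against its own working directory, which is rarely
# what you expect when it was started from a desktop menu.
rsa_keys_entry() {
    ip=$1
    keypath=$2
    case $keypath in
        /*) ;;
        *)  echo "key path must be absolute: $keypath" >&2; return 1 ;;
    esac
    printf '%s,%s,%s,%s' "$ip" "$DIAMETER_PORT" "$DIAMETER_PROTO" "$keypath"
}

# rsa_keys_list IP1 PATH1 [IP2 PATH2 ...]
# Joins one entry per peer with ';', which is the separator the field expects.
rsa_keys_list() {
    out=
    while [ $# -ge 2 ]; do
        entry=$(rsa_keys_entry "$1" "$2") || return 1
        if [ -z "$out" ]; then out=$entry; else out="$out;$entry"; fi
        shift 2
    done
    [ $# -eq 0 ] || { echo "each peer needs an IP and a key path" >&2; return 1; }
    printf '%s\n' "$out"
}

# check_key_file PATH
# Verifies the file is readable and is an unencrypted PEM private key:
# the SSL dissector cannot unlock a passphrase-protected PEM key, so such a
# key is accepted in the preference dialog but decrypts nothing.
check_key_file() {
    f=$1
    [ -r "$f" ] || { echo "not readable: $f" >&2; return 1; }
    if grep -q 'ENCRYPTED' "$f"; then
        echo "passphrase-protected key, Wireshark cannot use it: $f" >&2
        return 1
    fi
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" \
        || { echo "no PEM private key header in: $f" >&2; return 1; }
}

# Usage with the README's two example peers (paths are placeholders):
#   rsa_keys_list 192.168.0.10 /absolute/path/to/privA.pem \
#                 192.168.0.11 /absolute/path/to/privB.pem
#   check_key_file /absolute/path/to/privA.pem
#   check_key_file /absolute/path/to/privB.pem
```

Two things the helper cannot check for you: the key must belong to the certificate the peer actually presented in the capture, and decryption with a private key only works when the handshake negotiated RSA key exchange; with (EC)DHE cipher suites the private key is of no use, and the SSL debug file mentioned above is the quickest way to see which case you are in.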

Once this configuration is complete, you should be able to see the contents of SCTP packets,
including the protected Diameter payload.

Check the "sample" subdirectory for a test capture file.